summaryrefslogtreecommitdiff
path: root/dom/base/test/browser_bug593387.js
diff options
context:
space:
mode:
Diffstat (limited to 'dom/base/test/browser_bug593387.js')
-rw-r--r--dom/base/test/browser_bug593387.js70
1 files changed, 70 insertions, 0 deletions
diff --git a/dom/base/test/browser_bug593387.js b/dom/base/test/browser_bug593387.js
new file mode 100644
index 0000000000..aa4f9dc0f7
--- /dev/null
+++ b/dom/base/test/browser_bug593387.js
@@ -0,0 +1,70 @@
+/*
+ * Test for bug 593387
+ * Loads a chrome document in a content docshell and then inserts a
+ * X-Frame-Options: DENY iframe into the document and verifies that the document
+ * loads. The policy we are enforcing is outlined here:
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=593387#c17
+*/
+
+add_task(function* test() {
+ yield BrowserTestUtils.withNewTab({ gBrowser,
+ url: "chrome://global/content/mozilla.xhtml" },
+ function* (newBrowser) {
+ // NB: We load the chrome:// page in the parent process.
+ yield testXFOFrameInChrome(newBrowser);
+
+ // Run next test (try the same with a content top-level context)
+ yield BrowserTestUtils.loadURI(newBrowser, "http://example.com/");
+ yield BrowserTestUtils.browserLoaded(newBrowser);
+
+ yield ContentTask.spawn(newBrowser, null, testXFOFrameInContent);
+ });
+});
+
+function testXFOFrameInChrome(newBrowser) {
+ // Insert an iframe that specifies "X-Frame-Options: DENY" and verify
+ // that it loads, since the top context is chrome
+ var deferred = {};
+ deferred.promise = new Promise((resolve) => {
+ deferred.resolve = resolve;
+ });
+
+ var frame = newBrowser.contentDocument.createElement("iframe");
+ frame.src = "http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=deny&xfo=deny";
+ frame.addEventListener("load", function loaded() {
+ frame.removeEventListener("load", loaded, true);
+
+ // Test that the frame loaded
+ var test = this.contentDocument.getElementById("test");
+ is(test.tagName, "H1", "wrong element type");
+ is(test.textContent, "deny", "wrong textContent");
+ deferred.resolve();
+ }, true);
+
+ newBrowser.contentDocument.body.appendChild(frame);
+ return deferred.promise;
+}
+
+function testXFOFrameInContent(newBrowser) {
+ // Insert an iframe that specifies "X-Frame-Options: DENY" and verify that it
+ // is blocked from loading since the top browsing context is another site
+ var deferred = {};
+ deferred.promise = new Promise((resolve) => {
+ deferred.resolve = resolve;
+ });
+
+ var frame = content.document.createElement("iframe");
+ frame.src = "http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=deny&xfo=deny";
+ frame.addEventListener("load", function loaded() {
+ frame.removeEventListener("load", loaded, true);
+
+ // Test that the frame DID NOT load
+ var test = this.contentDocument.getElementById("test");
+ Assert.equal(test, null, "should be about:blank");
+
+ deferred.resolve();
+ }, true);
+
+ content.document.body.appendChild(frame);
+ return deferred.promise;
+}